The present invention relates generally to computer security and, more particularly, to security apparatus and methods for use with computers connected to a computer network, such as the Internet or an intranet.
The growth of the Internet has provided an enormous information resource to the millions of computer users around the world. The Internet permits a user from practically anywhere in the world to access another computer anywhere else in the world without much effort by utilizing easy to remember computer domain names. It is just as easy for a computer hacker to access an innocent computer user's hardware, software, and information. Especially with the fast connection services provided by today's Internet service providers (ISPs), the hackers have an even easier time breaking into home and small office computers.
The ease in hacking is partly possible because of the increasing availability of high-speed Internet digital subscriber line (DSL) and its varieties such as asynchronous DSL (ADSL) and high-bit-rate DSL (HDSL), and cable modem. These services provide not only a much faster connection but also a service that is always on. Additionally, a more mature broadband Internet service, called integrated services digital network (ISDN), continues to pose a similar threat. Accordingly, hackers can break into unsecured systems faster because of the higher speeds, and whenever they want to because of the always-on services. Additionally, because of already available tools, hackers have an even easier task. See, for example, the article entitled "Tools of the Trade" by Edward Skoudis, in the March 1999 issue of Information Security Magazine, which is hereby incorporated herein by reference for all purposes. With these types of tools, someone can remotely control or clandestinely observe all activity on the targeted machine. Moreover, hackers can get access to even a basic PC or Mac through a variety of methods, such as e-mailing a program that inserts a hidden back door or exploiting openings designed for file or printer sharing. Also, since computers are becoming easier to use and cheaper to own, more and more computer users are utilizing their computers for keeping track of their finances, personal communications, remote access to their office systems, and maintaining other types of confidential information. Hackers love this vast amount of information readily available on a personal computer.
Generally, each computer connected to the Internet has a unique Internet protocol (IP) address. Hackers often flood a target computer network with many IP address requests to identify potential targets on that network. Once hackers learn the IP address of a target, they flood that computer with many requests to determine through which "door" they can enter the target. The doors for computers are called service ports. Each service is assigned its own port number. For example, port 23 is for Telnet services, which allow a remote user to log in to a computer and access information on its hard drive. Hackers will probe all the known ports they can, until they find an open port. Once in the system, hackers can do as they wish, including opening other service ports or even crashing the system.
There are currently 65,663 service ports available for transmission control protocol/Internet protocol (TCP/IP) communications, which is the general communication protocol for the Internet. There are two types of service ports: privileged and unprivileged. The server service ports generally have a port number below 1,024; these are known as privileged ports and can be assigned to specific services. Conversely, the client service ports have a port number of at least 1,024. Most of the service ports on computers are not used today. Consequently, if a hacker can use one of these unused service ports to access information, the unauthorized use will most likely not interfere with the authorized services already in use. Another risk is that some of these service ports can give direct access to computers' storage devices.
There are numerous hardware and software solutions (called "firewalls") already available on the market for securing computers. The hardware-based solutions, however, are generally designed to protect a corporate intranet or a network segment, and are often impractical and too complex for implementation at home, for a small business, or for users on the road. These systems are generally designed to manage the security of multiple network addresses and log all network activity through a given device. At a minimum, these systems require knowledgeable information systems (IS) personnel to install and/or maintain them, who come at a fairly significant cost.
Similarly, present software solutions are often cumbersome to use because they must often be installed on a computer system to be protective. These solutions may pose conflicts with other software installed on that computer system. Another issue is that when installing new software or upgrading old software, the firewall software may be accidentally disabled or overwritten, leaving an open door for the hackers. Also, like other software solutions, software-only security is inherently easier to break into because the security software can reside on a remotely accessible computer.
These firewalls can also be very complex. For example, they can block certain IP addresses from accessing a target system based on a certain number of connection attempts. Other solutions incorporate features such as virtual private networking (VPN) which utilizes encryption. Yet others use association to permit a connection or use sophisticated knowledge databases. Accordingly, these firewalls often far exceed the needs of a single client workstation or a small office/home office (SOHO) environment.
No matter how sophisticated a computer security system, most experts agree that it can still be breached. Every year, computer hackers cost computer users millions of dollars in lost data, man-hours, and lost trade secrets. With hacking on the rise, as indicated by a study conducted by International Computer Security Association (ICSA) and Global Integrity Corporation, along with the growth of high speed networking to the home, the hacking of home-based and notebook computers can be a starting point for novice hackers, and quite possibly a stepping-stone into corporate networks.
Additionally, the present security solutions often have their own IP addresses, which readily allows these security solutions to be identified as targets. In the case of software solutions, the loophole IP address would be the same as that of the computer on which the software is installed. In the case of hardware solutions, the IP address is often provided so that the firewall can be configured via, for example, a remote terminal on the secured network.
Therefore, what is needed is a simple to implement, inexpensive, relatively fast, efficient, and non-user configurable solution that enables a computer user at home, on the road, or in a small office to be protected from computer hackers.
According to the present invention, a technique is disclosed for filtering data packets using novel apparatus and methods by providing authorization data. In an embodiment, the authorization data is non-user configurable. In a specific embodiment, the term non-configurable generally means that the user does not have to adjust settings on the present device and/or the computer on the protected local area network, wide area network, or private network. The invention provides an efficient, quick, secure, and simple to implement technique for secure computer communication, in part, by utilizing service level filtering of data packets.
In a preferred embodiment, a method for filtering a plurality of data packets is provided. The method includes receiving a data packet. The received data packet comprises source, destination, and protocol information. The method extracts the source, destination, and protocol information from the received data packet and provides the extracted information to a non-user configurable decision block. The decision block includes information about which services are authorized based on the extracted information. In a specific embodiment, the decision block information is substantially unrelated to an IP address of the data packet, allowing the non-user configurable decision block to operate without knowledge of any IP addresses in the IP header (e.g., destination address, source address). The method drops the received data packet if the extracted information indicates a request for access to an unauthorized service. Alternatively, the method permits the received data packet to go through if the extracted information indicates a request for access to an authorized service.
In a further embodiment, a computer security apparatus is disclosed. The apparatus includes communication interfaces coupled to a public network and a private network. The apparatus also includes a packet analyzer. The packet analyzer only permits data packets for a selected group of services to be communicated between the private and public networks.
In yet another embodiment, the packet analyzer includes a lookup table device that is non-configurable by a computer user. The packet analyzer can also include storage units for the protocol, destination port, and source ports of the data packet being analyzed. The lookup table can be coupled to the protocol storage, the source port storage, and the destination port storage devices. The lookup table can determine whether the data packet should be authorized to be forwarded through the computer security apparatus.
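A minimal software model of the decision block described in the embodiments above, written here as an added illustration rather than taken from the patent: it reads only the protocol, source port and destination port of a raw IPv4 packet, never the IP addresses, and consults a fixed lookup table to forward or drop. The authorized-service table, the reply-direction rule and the sample packets are assumptions made for this example.

```python
import struct

PROTO_TCP = 6
PROTO_UDP = 17

# Fixed decision table: (protocol, service port) pairs the device forwards.
# The contents are an assumption for this example; the user cannot change them.
AUTHORIZED_SERVICES = frozenset({
    (PROTO_TCP, 80),   # HTTP
    (PROTO_TCP, 443),  # HTTPS
    (PROTO_UDP, 53),   # DNS
})

def extract(packet: bytes):
    """Read only protocol, source port and destination port from a raw IPv4 packet.
    The source and destination IP addresses are deliberately never examined."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return proto, None, None          # no service ports to evaluate
    if len(packet) < ihl + 4:
        raise ValueError("truncated transport header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, sport, dport

def decide(packet: bytes) -> bool:
    """Return True to forward the packet, False to drop it (deny by default)."""
    try:
        proto, sport, dport = extract(packet)
    except ValueError:
        return False                      # malformed packets are dropped
    if (proto, dport) in AUTHORIZED_SERVICES:
        return True                       # request to an authorized service
    # Reply direction: from an authorized service port back to an unprivileged
    # (>= 1024) client port. Trusting the source port is the known weak spot of
    # any stateless filter; a stateful design would track connections instead.
    return sport is not None and (proto, sport) in AUTHORIZED_SERVICES and dport >= 1024

def build_packet(proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 header plus the first 4 transport bytes (sample data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip_hdr + struct.pack("!HH", sport, dport)
```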
In still a further embodiment, the present invention provides a method for converting an unsecured digital transmission line into a secured digital transmission line for transmission of digital data. The digital data are selected from a transmission medium selected from cable modem, xDSL, and other network communications.
Advantages of the invention include a simple to implement system for securing computer communications. The invention also provides quick performance because the filtering technique only evaluates limited information contained within a data packet. Additionally, the invention provides a technique for secure computer communication without regard for the cumbersome IP address evaluations performed by the prior art. Yet another advantage of the present invention is providing non-user configurable security that blocks remote hacking attempts.
Further understanding of the nature and advantages of the invention may be realized by reference to the remaining portions of the specification and drawings.